| blob | 10e3f51ed8c5f5df96437b12e1e5611a3ed6070a |
1 /*
2 * mod_fastcgi.c --
3 *
4 * Apache server module for FastCGI.
5 *
6 * $Id: mod_fastcgi.c,v 1.87 2000/04/06 05:29:25 robs Exp $
7 *
8 * Copyright (c) 1995-1996 Open Market, Inc.
9 *
10 * See the file "LICENSE.TERMS" for information on usage and redistribution
11 * of this file, and for a DISCLAIMER OF ALL WARRANTIES.
12 *
13 *
14 * Patches for Apache-1.1 provided by
15 * Ralf S. Engelschall
16 * <rse@en.muc.de>
17 *
18 * Patches for Linux provided by
19 * Scott Langley
20 * <langles@vote-smart.org>
21 *
22 * Patches for suexec handling by
23 * Brian Grossman <brian@SoftHome.net> and
24 * Rob Saccoccio <robs@ipass.net>
25 */
27 /*
28 * Module design notes.
29 *
30 * 1. Restart cleanup.
31 *
32 * mod_fastcgi spawns several processes: one process manager process
33 * and several application processes. None of these processes
34 * handle SIGHUP, so they just go away when the Web server performs
35 * a restart (as Apache does every time it starts.)
36 *
37 * In order to allow the process manager to properly cleanup the
38 * running fastcgi processes (without being disturbed by Apache),
39 * an intermediate process was introduced. The diagram is as follows;
40 *
41 * ApacheWS --> MiddleProc --> ProcMgr --> FCGI processes
42 *
43 * On a restart, ApacheWS sends a SIGKILL to MiddleProc and then
44 * collects it via waitpid(). The ProcMgr periodically checks for
45 * its parent (via getppid()) and if it does not have one, as in
46 * case when MiddleProc has terminated, ProcMgr issues a SIGTERM
47 * to all FCGI processes, waitpid()s on them and then exits, so it
48 * can be collected by init(1). Doing it any other way (short of
49 * changing Apache API), results either in inconsistent results or
50 * in generation of zombie processes.
51 *
52 * XXX: How does Apache 1.2 implement "gentle" restart
53 * that does not disrupt current connections? How does
54 * gentle restart interact with restart cleanup?
55 *
56 * 2. Request timeouts.
57 *
58 * The Apache Timeout directive allows per-server configuration of
59 * the timeout associated with a request. This is typically used to
60 * detect dead clients. The timer is reset for every successful
61 * read/write. The default value is 5min. Thats way too long to tie
62 * up a FastCGI server. For now this dropdead timer is used a little
63 * differently in FastCGI. All of the FastCGI server I/O AND the
64 * client I/O must complete within Timeout seconds. This isn't
65 * exactly what we want.. it should be revisited. See http_main.h.
66 *
67 * We need a way to configurably control the timeout associated with
68 * FastCGI server exchanges AND one for client exchanges. This could
69 * be done with the select() in doWork() (which should be rewritten
70 * anyway). This will allow us to free up the FastCGI as soon as
71 * possible.
72 *
73 * Earlier versions of this module used ap_soft_timeout() rather than
74 * ap_hard_timeout() and ate FastCGI server output until it completed.
75 * This precluded the FastCGI server from having to implement a
76 * SIGPIPE handler, but meant hanging the application longer than
77 * necessary. SIGPIPE handler now must be installed in ALL FastCGI
78 * applications. The handler should abort further processing and go
79 * back into the accept() loop.
80 *
81 * Although using ap_soft_timeout() is better than ap_hard_timeout()
82 * we have to be more careful about SIGINT handling and subsequent
83 * processing, so, for now, make it hard.
84 */
89 #ifndef timersub
90 #define timersub(a, b, result) \
91 do { \
92 (result)->tv_sec = (a)->tv_sec - (b)->tv_sec; \
93 (result)->tv_usec = (a)->tv_usec - (b)->tv_usec; \
94 if ((result)->tv_usec < 0) { \
95 --(result)->tv_sec; \
96 (result)->tv_usec += 1000000; \
97 } \
98 } while (0)
99 #endif
101 /*
102 * Global variables
103 */
120 * fastcgi apps' sockets */
144 /*******************************************************************************
145 * Construct a message and write it to the pm_pipe.
146 */
150 {
158 }
170 }
177 }
178 }
180 \f
181 /*
182 *----------------------------------------------------------------------
183 *
184 * init_module
185 *
186 * An Apache module initializer, called by the Apache core
187 * after reading the server config.
188 *
189 * Start the process manager no matter what, since there may be a
190 * request for dynamic FastCGI applications without any being
191 * configured as static applications. Also, check for the existence
192 * and create if necessary a subdirectory into which all dynamic
193 * sockets will go.
194 *
195 *----------------------------------------------------------------------
196 */
198 {
201 /* Register to reset to default values when the config pool is cleaned */
210 /* keep these handy */
214 /* Create Unix/Domain socket directory */
218 /* Create Dynamic directory */
222 /* Create the pipe for comm with the PM */
225 }
227 /* Spawn the PM only once. Under Unix, Apache calls init() routines
228 * twice, once before detach() and once after. Win32 doesn't detach.
229 * Under DSO, DSO modules are unloaded between the two init() calls.
230 * Under Unix, the -X switch causes two calls to init() but no detach
231 * (but all subprocesses are wacked so the PM is toasted anyway)! */
232 #ifndef WIN32
235 #endif
237 /* Start the Process Manager */
242 }
245 }
247 /*
248 *----------------------------------------------------------------------
249 *
250 * get_header_line --
251 *
252 * Terminate a line: scan to the next newline, scan back to the
253 * first non-space character and store a terminating zero. Return
254 * the next character past the end of the newline.
255 *
256 * If the end of the string is reached, ASSERT!
257 *
258 * If the FIRST character(s) in the line are '\n' or "\r\n", the
259 * first character is replaced with a NULL and next character
260 * past the newline is returned. NOTE: this condition supercedes
261 * the processing of RFC-822 continuation lines.
262 *
263 * If continuation is set to 'TRUE', then it parses a (possible)
264 * sequence of RFC-822 continuation lines.
265 *
266 * Results:
267 * As above.
268 *
269 * Side effects:
270 * Termination byte stored in string.
271 *
272 *----------------------------------------------------------------------
273 */
275 {
286 p++;
287 }
290 p++;
291 }
292 }
293 }
297 end++;
299 /*
300 * Trim any trailing whitespace.
301 */
303 p--;
304 }
308 }
309 \f
310 /*
311 *----------------------------------------------------------------------
312 *
313 * process_headers --
314 *
315 * Call with r->parseHeader == SCAN_CGI_READING_HEADERS
316 * and initial script output in fr->header.
317 *
318 * If the initial script output does not include the header
319 * terminator ("\r\n\r\n") process_headers returns with no side
320 * effects, to be called again when more script output
321 * has been appended to fr->header.
322 *
323 * If the initial script output includes the header terminator,
324 * process_headers parses the headers and determines whether or
325 * not the remaining script output will be sent to the client.
326 * If so, process_headers sends the HTTP response headers to the
327 * client and copies any non-header script output to the output
328 * buffer reqOutbuf.
329 *
330 * Results:
331 * none.
332 *
333 * Side effects:
334 * May set r->parseHeader to:
335 * SCAN_CGI_FINISHED -- headers parsed, returning script response
336 * SCAN_CGI_BAD_HEADER -- malformed header from script
337 * SCAN_CGI_INT_REDIRECT -- handler should perform internal redirect
338 * SCAN_CGI_SRV_REDIRECT -- handler should return REDIRECT
339 *
340 *----------------------------------------------------------------------
341 */
344 {
354 /*
355 * Do we have the entire header? Scan for the blank line that
356 * terminates the header.
357 */
366 flag++;
377 }
378 p++;
379 }
381 /* Return (to be called later when we have more data)
382 * if we don't have an entire header. */
386 /*
387 * Parse all the headers.
388 */
396 }
399 }
402 p--;
403 }
406 }
411 }
413 value++;
414 }
421 }
425 }
430 }
436 }
440 }
445 }
449 }
451 /* If the script wants them merged, it can do it */
454 }
457 }
458 }
463 /*
464 * Who responds, this handler or Apache?
465 */
468 /*
469 * Based on internal redirect handling in mod_cgi.c...
470 *
471 * If a script wants to produce its own Redirect
472 * body, it now has to explicitly *say* "Status: 302"
473 */
476 /*
477 * Location is an relative path. This handler will
478 * consume all script output, then have Apache perform an
479 * internal redirect.
480 */
484 /*
485 * Location is an absolute URL. If the script didn't
486 * produce a Content-type header, this handler will
487 * consume all script output and then have Apache generate
488 * its standard redirect response. Otherwise this handler
489 * will transmit the script's response.
490 */
493 }
494 }
495 }
496 /*
497 * We're responding. Send headers, buffer excess script output.
498 */
501 /* We need to reinstate our timeout, send_http_header() kill()s it */
512 }
517 }
520 BadHeader:
521 /* Log first line of a multi-line header */
527 DuplicateNotAllowed:
530 }
531 \f
532 /*
533 * Read from the client filling both the FastCGI server buffer and the
534 * client buffer with the hopes of buffering the client data before
535 * making the connect() to the FastCGI server. This prevents slow
536 * clients from keeping the FastCGI server in processing longer than is
537 * necessary.
538 */
540 {
560 else
563 }
565 }
568 {
576 /* If fewer than count bytes are written, an error occured.
577 * ap_bwrite() typically forces a flushed write to the client, this
578 * effectively results in a block (and short packets) - it should
579 * be fixed, but I didn't win much support for the idea on new-httpd.
580 * So, without patching Apache, the best way to deal with this is
581 * to size the fcgi_bufs to hold all of the script output (within
582 * reason) so the script can be released from having to wait around
583 * for the transmission to the client to complete. */
584 #ifdef RUSSIAN_APACHE
589 }
590 #else
595 }
596 #endif
599 /* Don't bother with a wrapped buffer, limiting exposure to slow
600 * clients. The BUFF routines don't allow a writev from above,
601 * and don't always memcpy to minimize small write()s, this should
602 * be fixed, but I didn't win much support for the idea on
603 * new-httpd - I'll have to _prove_ its a problem first.. */
605 /* The default behaviour used to be to flush with every write, but this
606 * can tie up the FastCGI server longer than is necessary so its an option now */
608 #ifdef RUSSIAN_APACHE
613 }
614 #else
619 }
620 #endif
621 }
625 }
627 /*******************************************************************************
628 * Determine the user and group suexec should be called with.
629 * Based on code in Apache's create_argv_cmd() (util_script.c).
630 */
632 {
637 }
640 /* its a user dir uri, just send the ~user, and leave it to the PM */
645 else
648 }
652 }
653 }
655 /*******************************************************************************
656 * Close the connection to the FastCGI server. This is normally called by
657 * do_work(), but may also be called as in request pool cleanup.
658 */
660 {
670 /* XXX REQ_COMPLETE is only sent for requests which complete
671 * normally WRT the fcgi app. There is no data sent for
672 * connect() timeouts or requests which complete abnormally.
673 * KillDynamicProcs() and RemoveRecords() need to be looked at
674 * to be sure they can reasonably handle these cases before
675 * sending these sort of stats - theres some funk in there.
676 * XXX We should do something special when this a pool cleanup.
677 */
679 /* there's no point to aborting the request, just log it */
691 }
692 }
693 }
694 }
696 /*******************************************************************************
697 * Connect to the FastCGI server.
698 */
700 {
712 /* Create the connection point */
723 }
725 /* Dynamic app's lockfile handling */
737 {
740 /* Its already running, but there's a newer one,
741 * ask the process manager to start it.
742 * it will notice that the binary is newer,
743 * and do a restart instead.
744 */
747 /* Avoid sleep/alarm interactions */
749 }
757 /* Avoid sleep/alarm interactions */
759 }
762 /* Block until we get a shared (non-exclusive) read Lock */
765 }
767 /* Create the socket */
774 "FD_SETSIZE (%u), you probably need to rebuild Apache with a "
776 }
778 /* If appConnectTimeout is non-zero, setup do a non-blocking connect */
784 }
789 /* Connect */
793 /* ECONNREFUSED means the listen queue is full (or there isn't one).
794 * With dynamic I can at least make sure the PM knows this is occuring */
796 /* @@@ This might be better as some other "kind" of message */
800 }
805 /* The connect() is non-blocking */
826 /* select() timed out */
830 /* XXX These can be moved down when dynamic vars live is a struct */
833 dynamicAppConnectTimeout);
834 }
847 }
858 /* Solaris pending error */
862 /* Berkeley-derived pending error */
865 }
869 ConnectionComplete:
870 /* Return to blocking mode if it was set up */
874 }
876 #ifdef TCP_NODELAY
878 /* We shouldn't be sending small packets and there's no application
879 * level ack of the data we send, so disable Nagle */
882 }
883 #endif
886 }
887 \f
889 {
890 #if defined(SIGPIPE) && MODULE_MAGIC_NUMBER < 19990320
891 /* Make sure we leave with Apache's sigpipe_handler in place */
894 #endif
898 }
901 {
910 }
911 }
913 /*----------------------------------------------------------------------
914 * This is the core routine for moving data between the FastCGI
915 * application and the Web server's client.
916 */
918 {
934 /* Buffer as much of the environment as we can fit */
937 /* Start the Apache dropdead timer. See comments at top of file. */
940 /* Read as much as possible from the client. */
946 }
951 }
953 /* Connect to the FastCGI Application */
959 }
971 }
972 }
974 /* @@@ We never reset the timer in this loop, most folks don't mess w/
975 * Timeout directive which means we've got the 5 min default which is way
976 * to long to tie up a fs. We need a better/configurable solution that
977 * uses the select */
980 /* Register to get the script's stderr logged at the end of the request */
985 /* The socket is writeable, so get the first write out of the way */
990 }
996 /* If we didn't buffer all of the environment yet, buffer some more */
1000 /* Read as much as possible from the client. */
1004 }
1006 /* To avoid deadlock, don't do a blocking select to write to
1007 * the FastCGI application without selecting to read from the
1008 * FastCGI application.
1009 */
1015 /* Is data buffered for output to the FastCGI server? */
1020 }
1021 /*
1022 * If there's data buffered to send to the client, don't
1023 * wait indefinitely for the FastCGI app; the app might
1024 * be doing server push.
1025 */
1029 }
1037 }
1039 /* Check for idle_timeout */
1042 }
1052 }
1053 }
1062 }
1064 /* Killed time somewhere.. client read? */
1070 }
1071 }
1075 }
1081 }
1086 }
1093 }
1100 }
1106 }
1107 }
1109 #if defined(SIGPIPE) && MODULE_MAGIC_NUMBER < 19990320
1110 /* Disable Apache's SIGPIPE handler */
1112 #endif
1114 /* Read from the FastCGI server */
1122 }
1123 }
1129 }
1134 }
1135 }
1137 /* Write to the FastCGI server */
1143 }
1144 }
1146 #if defined(SIGPIPE) && MODULE_MAGIC_NUMBER < 19990320
1147 /* Reinstall Apache's SIGPIPE handler */
1149 #endif
1153 }
1157 #if defined(SIGPIPE) && MODULE_MAGIC_NUMBER < 19990320
1158 /* Make sure we leave with Apache's sigpipe_handler in place */
1161 #endif
1165 }
1166 }
1172 /* we're done talking to the fcgi app */
1175 }
1182 }
1183 }
1191 #ifdef RUSSIAN_APACHE
1193 #else
1195 #endif
1197 }
1211 /*
1212 * XXX We really should be soaking all client input
1213 * and all script output. See mod_cgi.c.
1214 * There's other differences we need to pick up here as well!
1215 * This has to be revisited.
1216 */
1221 }
1225 }
1226 \f
1229 {
1240 }
1241 }
1245 }
1249 /* Its a request for a dynamic FastCGI application */
1254 ap_log_rerror(FCGI_LOG_ERR_NOERRNO, r, "FastCGI: invalid (dynamic) server \"%s\": %s", fs_path, err);
1256 }
1257 }
1286 }
1288 /*
1289 *----------------------------------------------------------------------
1290 *
1291 * handler --
1292 *
1293 * This routine gets called for a request that corresponds to
1294 * a FastCGI connection. It performs the request synchronously.
1295 *
1296 * Results:
1297 * Final status of request: OK or NOT_FOUND or SERVER_ERROR.
1298 *
1299 * Side effects:
1300 * Request performed.
1301 *
1302 *----------------------------------------------------------------------
1303 */
1305 /* Stolen from mod_cgi.c..
1306 * KLUDGE --- for back-combatibility, we don't have to check ExecCGI
1307 * in ScriptAliased directories, which means we need to know if this
1308 * request came through ScriptAlias or not... so the Alias module
1309 * leaves a note for us.
1310 */
1312 {
1315 }
1317 /* If a script wants to produce its own Redirect body, it now
1318 * has to explicitly *say* "Status: 302". If it wants to use
1319 * Apache redirects say "Status: 200". See process_headers().
1320 */
1323 {
1327 /* @@@ There are still differences between the handling in
1328 * mod_cgi and mod_fastcgi. This needs to be revisited.
1329 */
1330 /* We already read the message body (if any), so don't allow
1331 * the redirected request to think it has one. We can ignore
1332 * Transfer-Encoding, since we used REQUEST_CHUNKED_ERROR.
1333 */
1346 }
1347 }
1349 /******************************************************************************
1350 * Process fastcgi-script requests. Based on mod_cgi::cgi_handler().
1351 */
1353 {
1357 /* Setup a new FastCGI request */
1361 /* If its a dynamic invocation, make sure scripts are OK here */
1366 }
1368 /* Process the fastcgi-script request */
1372 /* Special case redirects */
1374 }
1378 {
1384 }
1386 static int post_process_auth_passed_compat_header(table *t, const char *key, const char * const val)
1387 {
1392 }
1394 static int post_process_auth_failed_header(table * const t, const char * const key, const char * const val)
1395 {
1398 }
1401 {
1404 /* Restore the saved subprocess_env because we muddied ours up */
1409 ap_table_do((int (*)(void *, const char *, const char *))post_process_auth_passed_compat_header,
1411 }
1415 }
1416 }
1420 }
1422 /* @@@ Restore these.. its a hack until I rewrite the header handling */
1425 }
1428 {
1438 /* Get the user password */
1445 /* Save the existing subprocess_env, because we're gonna muddy it up */
1451 /* The FastCGI Protocol doesn't differentiate authentication */
1454 /* Do we need compatibility mode? */
1463 /* A redirect shouldn't be allowed during the authentication phase */
1469 }
1474 AuthenticationFailed:
1478 /* @@@ Probably should support custom_responses */
1483 }
1486 {
1495 /* @@@ We should probably honor the existing parameters to the require directive
1496 * as well as allow the definition of new ones (or use the basename of the
1497 * FastCGI server and pass the rest of the directive line), but for now keep
1498 * it simple. */
1503 /* Save the existing subprocess_env, because we're gonna muddy it up */
1510 /* Do we need compatibility mode? */
1519 /* A redirect shouldn't be allowed during the authorization phase */
1525 }
1530 AuthorizationFailed:
1534 /* @@@ Probably should support custom_responses */
1539 }
1542 {
1554 /* Save the existing subprocess_env, because we're gonna muddy it up */
1559 /* The FastCGI Protocol doesn't differentiate access control */
1562 /* Do we need compatibility mode? */
1571 /* A redirect shouldn't be allowed during the access check phase */
1577 }
1582 AccessFailed:
1586 /* @@@ Probably should support custom_responses */
1589 }
1592 \f
1593 command_rec fastcgi_cmds[] = {
1609 "a fastcgi-script path (absolute or relative to ServerRoot) followed by an optional -compat" },
1616 "a fastcgi-script path (absolute or relative to ServerRoot) followed by an optional -compat" },
1623 "a fastcgi-script path (absolute or relative to ServerRoot) followed by an optional -compat" },
1628 };
1631 handler_rec fastcgi_handlers[] = {
1635 };
1638 module MODULE_VAR_EXPORT fastcgi_module = {
1639 STANDARD_MODULE_STUFF,
1657 NULL /* [1] post read-request handling */
1658 };